hxxps://edgeworkflow11[.]azurefd[.]net/auth/supplier[.]html?X-OpenDNS-Session=*EMAIL%20ADDRESS%20REMOVED

General

Target

https://edgeworkflow11.azurefd.net/auth/supplier.html?X-OpenDNS-Session=*EMAIL%20ADDRESS%20REMOVED
Sample

211011-3jxfdsaear

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30916306"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340760679"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E0F2CF08-2D57-11EC-B2DB-FE8EF4155406} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340792670"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4227665012"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b23101d3bed701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30916306"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000252af7ee884bee4ab7e0a90f1b1b039f000000000200000000001066000000010000200000004cd590fe583919c89aa38c89fa98af3fb50167038af733d97bffdcf8ef427476000000000e8000000002000020000000314382414a1ba7f1537a9b563bf1b9d779657ff3626ae9f469fd32410c6fc168200000003779127b16e64a9b83603cbb6f3d3b01928636773e019fb93e1e43479d43c79a40000000f2845e50ff8a96ed99ac9e5c90b1b5189ab501101897e66961f16e9ea7e1b64e72004e8bc3e9dad23caf19be4173317a25914f20828e55a802d67e98f7943531	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0746101d3bed701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4227665012"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340744084"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000252af7ee884bee4ab7e0a90f1b1b039f00000000020000000000106600000001000020000000d30746d35d5121575681fc29fb35a5d9cce2f46a8addf6f72d432717ce31193d000000000e8000000002000020000000e9a5e4d22f9c436c919f636ae055f422fd83f195354027436d429c13eb398171200000008e35f7c4af9398aa1694aaf0c48d7c9d0dbd8d5c9ffeb0e714657b987c2946c240000000a1ed96e051cd1c1759b316926d7247798bea860b2f9ffe0831849bb91c2baf638d3a1691b0048ed27a7eb2dc62f8221f315ab94a94f0fc7fffeec959f79934a1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1456 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1456 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1456 iexplore.exe
1456 iexplore.exe
3148 IEXPLORE.EXE
3148 IEXPLORE.EXE
3148 IEXPLORE.EXE
3148 IEXPLORE.EXE

pid	process
1456	iexplore.exe

pid	process
1456	iexplore.exe

pid	process
1456	iexplore.exe
1456	iexplore.exe
3148	IEXPLORE.EXE
3148	IEXPLORE.EXE
3148	IEXPLORE.EXE
3148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1456 wrote to memory of 3148	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 3148	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 3148	1456	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://edgeworkflow11.azurefd.net/auth/supplier.html?X-OpenDNS-Session=*EMAIL%20ADDRESS%20REMOVED
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
MD5
a7963915d5bb0664352fad9efe5af666

SHA1
75cb2172c968a9bdbea947ff82edafc2e122b8d4

SHA256
80cc7b3367b0aeb0d1837a6048dd5b19faf534f27eadfd6a4387421706558490

SHA512
4c768aebc3feccf22edf867be25fc0c245c60611d4d0b4d10d02b723b4cae5b6e93ed7cb2e84b158cb0d3ae6895810f4e3abdae84fb8fa37cdffce4aae3f4744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
MD5
e274632ec0cd71e5c11fd9410ddb0859

SHA1
cc783d3a10fa98d03070bb0b58ef0f86fc4b101b

SHA256
8b5b8b1eaf8e7e1dd658754d97d8b958cc080f36150956e67848863d230031c6

SHA512
578c6c60e8f2ca01b902247123c10fbaf9be479406cd16130128717c269e10847daf557f94c362ab1ed2804936bdde59a5352f6985a8796e8b78726bf93b8a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0F9IMCE8.cookie
MD5
d84a35849b2352abf72f5eecae15ae30

SHA1
369f680571607eed13c64a8997ddf2178b57c71f

SHA256
0a519126a0e21996042a56501fcaaa6524bfd13c8f6da857b9d2013fed7145f2

SHA512
b52a99ec9ea41ecf3b10a1bbe184ed563bd15552556d5a96f987abffb6810e7f3df8a61499a1f9f84cc8d42e056c60ed43243ac07c3c9b0e9bddeb1da753c004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0SX04KJE.cookie
MD5
bc3ed66ef3151e720b61b38c4921615b

SHA1
116102399cea0d9f070219fc549a90a5e707c60d

SHA256
16152fcb172bec1f68c411f02909de907e081bf658eb90ddf49e618958af8744

SHA512
c9d47ccfac34fd969f5ee88e3e5a9e0267cc945d7b75b0cb725214254cf78f802e5af7c96563457eff60d532a8454ecdaad300c3fd9872dd9162676dc069fa6a

Download Submit
memory/1456-141-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-123-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-121-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-146-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-122-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-124-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-126-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-127-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-128-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-130-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-132-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-133-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-134-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-135-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-136-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-149-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-115-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-140-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-114-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-143-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-116-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-120-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-137-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-148-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-150-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-154-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-155-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-156-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-162-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-163-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-164-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-165-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-166-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-167-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-168-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-172-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-174-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-177-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-178-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-119-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-118-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/1456-144-0x00007FF8B5CD0000-0x00007FF8B5D3B000-memory.dmp

Filesize
428KB

Download
memory/3148-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing